[Openid-specs-fapi] Issue #120: CIBA: x-fapi-device-id header (openid/fapi)

Dave Tonge issues-reply at bitbucket.org
Wed Jul 19 13:53:50 UTC 2017

New issue 120: CIBA: x-fapi-device-id header

Dave Tonge:

For CIBA flows it doesn't always make sense for the client to send customer IP address or last logged in headers.

However, it may be beneficial to send an identifier for the "consumption device". I've got this wording in the current draft of the FAPI CIBA profile:

In situations where the client does not control the consumption device, the client
 - shall not send x-fapi-customer-ip-address or x-fapi-customer-last-logged-time headers;
 - should send an x-fapi-device-id header which contains an identifier of the consumption device used by the customer.

NOTE: It may be useful for an FI’s fraud systems to know the device that is 
the source of payment initiation requests, hence the recommendation for 
the x-fapi-device-id header.

I'd welcome feedback on this.

Responsible: dgtonge
